Analysis
-
max time kernel
84s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
03/06/2024, 01:18
General
-
Target
980f1137038841d2e222313aaf80450ce810c2562cb2cde8d478ffc6d72c8ddd.exe
-
Size
55KB
-
MD5
2fd7c86ec51e6a27e4d6ffd9103de424
-
SHA1
f0e030aaebbeb73d905bf0bf28d8360c135ace65
-
SHA256
980f1137038841d2e222313aaf80450ce810c2562cb2cde8d478ffc6d72c8ddd
-
SHA512
b9a6652eb45ecd9974f606eb0dca11ced68d5b5a0e5b73e73c0d99723b33f55284ef31a1a9e32ca93e4dacb983fc92fb3df8e0b4ee8c26ea8ecc0aa6d140e376
-
SSDEEP
1536:XU6JhlQvW4R8ZDW2OsdCj7VhJ/YY5rInouy8r:XRhlARSOsdwD/98out
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
UPX dump on OEP (original entry point) 56 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\980f1137038841d2e222313aaf80450ce810c2562cb2cde8d478ffc6d72c8ddd.exe"C:\Users\Admin\AppData\Local\Temp\980f1137038841d2e222313aaf80450ce810c2562cb2cde8d478ffc6d72c8ddd.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121011⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe11⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe3⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12102⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe2⤵
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-724047921-1258145671563304364-17640621971457124975150419689215073116231431891156"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "6786799631130230974629653068-1645279287-1285484547-276113391812637532-270360929"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-979929630-1762432957-388293719317624448-949337941-563386382-1618204232126346027"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "488917575-5544671482122649088-14916502291773491108-991908736-3680851667960677"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "130140603-1428908828-17679773562053309413-376965660-12327768641169856650-968120596"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2104138946-14083925631328259241-38584518-11529784207638617-1908074682-1065148480"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-452957591-404696981445775306-1324768087-1286214408-1441709424-17616923861319717465"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "6253334201919878845-876417169495000251984528113-1560366588-9058500792052568093"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4434100591951512518-482135531-1473590356-3188398711272615033688315992-745042819"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2600104571779731376-1485729015-1597709623890222280-1142854228-562583292-2067670854"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "908815927170352855656813414-88709991-19379803917311989310641377371169209107"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-816559182-18418707531100784954-1345939730-1178345815-2137965875-295406651-751176454"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-163899760358582477314807566154900347811572172589-2076783866-932387055-287318795"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1185862307-702745547-9070130132053861051-5921908081178744381647945306-1004681219"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "147643639-362432304-15305606111468618135298918913-3786185508627721381999283890"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-37710811611384951171071561-1856024289-2299473602117887283-21456189471823784018"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-436198334282250739-494859314-10040964021854322414-20039271885598247801911480928"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2038112736-1830985793159181925385223618-359707279-2003579942392578761198060933"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "214175074985660672069773156-19498845591547715356803816142-73554404-1073638305"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-367495920-274487409760044442784026294-642973732128364202010939580901361990267"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1803321104851016457-6696393361300460444603982347480687397-1538365746857848987"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18318659172001922108743275280135374551682621105871033173118346553291396973474"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-814973371-262541616-1088289389-999979692-2015459262-10271897351301197264-774716802"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1032849225494689330-20143980241908584792-1266137297-294324096-1298775594714354058"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-920626131-1468168170474254080-1892156178274915291-1905845785485691088516449297"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "11068669681597410326-774393853-1982047001156315241-67869078019248345651610755077"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "552451529-1728550138-969174402-1582548364-9132590520485593081167662537-350321832"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-830955255-304067402-10348911591597674236778912845-1826695893-14698241362073796021"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1481966782-812318518619351584-5493611731147404908-12301467851049390752-753631585"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "6638588201136886899714975585140749794714795638581215101522075447301-1467551907"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "836828957-382615143-1827417917442171412123862401-998388560267715303-1480703556"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "99517716313107378071535075640-572625688643070516-1882461994-51512742-692449669"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1579880163-167367409315653522551280800785-566592239763983023462350171512866674"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2131878111064470241-1537989774-192320924-14493220292049201919-500231196-1411535300"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-6008324891520685014539317752045534489-12214244001735449237-872921772325677987"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1067108992-322560953165003370621313123881506684993212442214-6850179382124903897"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1237574426802805669-79935137-11035026858073702011293007429-1902949363-2011841604"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1463989523294008476-1301369655-12605348111109814629903820396-266734916-860144513"1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
55KB
MD50df79acfdf210f539553665b7dcc2836
SHA1b79d802d5413d0cf0ad1239855a3059ddcfe419a
SHA256cc6e5f6cf29fedad201874174d8968bbf37bda5217b3087c00b9529748fb1090
SHA5125701b7dafff29a8d9b8bb6a57cbc442eae029038bd4742d457dd8b705fa828f4c7ac2430ea5cf354ece5b2482d15be17bce60b97b4a802a29b20f1278136e1f6
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB